CVE Database

CVE-2012-5885

Impact: Moderate
Public: 2012-11-05
Bugzilla: 873664: CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
IAVA: 2013-A-0219

Details

The MITRE CVE dictionary describes this issue as:

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

Find out more about CVE-2012-5885 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 5.0
Base Metrics: AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                                                    | Errata         | Release Date
----------------------------------------------------------------------------|----------------|------------------
JBoss Data Grid 6.1                                                         | RHSA-2013:0665 | March 20, 2013
JBoss Enterprise BRMS Platform 5.3                                          | RHSA-2013:1006 | July 01, 2013
Red Hat Enterprise Linux version 5 (tomcat5)                                | RHSA-2013:0640 | March 12, 2013
Red Hat Enterprise Linux version 6 (tomcat6)                                | RHSA-2013:0623 | March 11, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jbossweb)    | RHSA-2013:0629 | March 11, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jbossweb)| RHSA-2013:0629 | March 11, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jbossweb)| RHSA-2013:0629 | March 11, 2013
Red Hat JBoss Enterprise Application Platform 5.2                           | RHSA-2013:0632 | March 11, 2013
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb)| RHSA-2013:0647 | March 14, 2013
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb)| RHSA-2013:0647 | March 14, 2013
Red Hat JBoss Enterprise Application Platform 6.0                           | RHSA-2013:0648 | March 14, 2013
Red Hat JBoss SOA Platform 5.3                                              | RHSA-2013:0726 | April 09, 2013
Red Hat JBoss Web Platform 5 for RHEL 4 AS (jbossweb)                       | RHSA-2013:0631 | March 11, 2013
Red Hat JBoss Web Platform 5 for RHEL 5 Server (jbossweb)                   | RHSA-2013:0631 | March 11, 2013
Red Hat JBoss Web Platform 5 for RHEL 6 Server (jbossweb)                   | RHSA-2013:0631 | March 11, 2013
Red Hat JBoss Web Platform 5.2                                              | RHSA-2013:0633 | March 11, 2013
Red Hat JBoss Web Server 2 for RHEL 5 Server (tomcat6)                      | RHSA-2013:0266 | February 19, 2013
Red Hat JBoss Web Server 2 for RHEL 6 Server (tomcat6)                      | RHSA-2013:0266 | February 19, 2013
Red Hat JBoss Web Server 2.0                                                | RHSA-2013:0265 | February 19, 2013

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.